Re: [PATCH 1/1] arm64: syscall: Direct PRNG kstack randomization

From: Kees Cook
Date: Thu Mar 07 2024 - 14:11:17 EST

Next message: Jarkko Sakkinen: "Re: [PATCH v5 05/12] crypto: ecc - Implement vli_mmod_fast_521 for NIST p521"
Previous message: Andrea Parri: "Re: Question about PB rule of LKMM"
In reply to: Arnd Bergmann: "Re: [PATCH 1/1] arm64: syscall: Direct PRNG kstack randomization"
Next in thread: Arnd Bergmann: "Re: [PATCH 1/1] arm64: syscall: Direct PRNG kstack randomization"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 07, 2024 at 12:10:34PM +0100, Arnd Bergmann wrote:
> For the strength, we have at least four options:
>
> - strong rng, most expensive
> - your new prng, less strong but somewhat cheaper and/or more
> predictable overhead
> - cycle counter, cheap but probably even less strong,
> needs architecture code.

Are the low bits of a cycler counter really less safe than a
deterministic pRNG?

> - no rng, no overhead and no protection.

For the pRNG, why not just add a reseed timer or something that'll
happen outside the syscall window, if that's the concern about reseeding
delay? (In which case, why not continue to use the strong rng?)

--
Kees Cook

Next message: Jarkko Sakkinen: "Re: [PATCH v5 05/12] crypto: ecc - Implement vli_mmod_fast_521 for NIST p521"
Previous message: Andrea Parri: "Re: Question about PB rule of LKMM"
In reply to: Arnd Bergmann: "Re: [PATCH 1/1] arm64: syscall: Direct PRNG kstack randomization"
Next in thread: Arnd Bergmann: "Re: [PATCH 1/1] arm64: syscall: Direct PRNG kstack randomization"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]